How to prepare for the next WannaCry
- 13 December, 2017 16:46
In May the WannaCry ransomware attack wreaked worldwide havoc, infecting and paralysing 230,000 computers across 150 countries. While the size of the attack reached record levels, it was its execution that set it apart from other cyber attacks. It didn’t force down the front door with a crushing distributed denial of service (DDoS) attack.
It didn’t poke and probe repeatedly until it found a chink in the security armour. Instead, WannaCry quietly targeted an obscure vulnerability in outdated Microsoft Windows operating systems.
One month later, the Petya and NotPetya ransomware attacks appeared, affecting computers in more than 65 countries, once again by targeting a preventable and patchable software vulnerability. Versions of the ransomware are reportedly available on thedarknet for distribution with an attractive 85/15 revenue split for the entrepreneurial cybercriminal, marking a disturbing new trend: ransomware-as-a-service.
Ransomware is now the most downloaded malware in the APAC in 2016. However, until recently, the big payoff for hackers centered around stealing sensitive data and selling it on the black market. However, the success of cyber crime meant that supply began to exceed demand, driving down prices as a result. So the criminals sought new revenue-generating opportunities and found a potential goldmine in ransomware.
The notion behind ransomware is simplicity personified: identify an enterprise, infiltrate its network by infecting as many devices as possible, seize control of all assets, and then sell back the assets to those who are willing to pay. The perpetrators of WannaCry even went so far as to increase the ransom as time went by.
It goes without saying that the people who will pay the most to retrieve their data are also those who need it the most. Hospitals, banks, government; none of these organisations can function properly if their networks are compromised. Ransomware affects everybody, companies and consumers alike. It is a paralysis that no company can afford.
A cyber attacker can cause complete destruction within an organisation by simply opening an email, downloading an attachment or clicking on what seems like a genuine link. In one simple step, the external control server now has power over the data, which they will then encrypt in order to generate a demand for ransom.
Phishing emails are known to be the biggest source of ransomware, with a 2016 report revealing that 93 percent contained some form of ransomware attack. These are becoming increasingly more sophisticated and, as a result, harder to spot. The emails are often personalised as well as mimic normal office conversations.
Once the ransomware is downloaded, the attack usually commences quickly, unlike data exfiltration malware. The encryption process is immediately followed by ransom demands, which usually instruct the victims to deposit payments in an untraceable bitcoin account.
Perhaps worst of all, there’s no grace period between attacks; victims can often be subjected to a second, third, or fourth ransomware attack, once their security vulnerabilities have been exposed.
Whilst there is no way to prevent being targeted with a ransomware threat, companies can take a series of steps to stop it from impacting their business to the extent of WannaCry by implementing a multi-layered security approach to thwart future threats.
It is important to adopt a thorough, planned method to software patch updates and fixes. Frequent vulnerability and penetration testing from an experienced outside agent is also crucial, as is making sure to update and store versions of backup data offline. You can also install DDoS network protection and phishing prevention tools.
Another big preventative measure is to install a recursive DNS server. This manages outgoing network communications, such as a request to visit a website by looking up and connecting to the IP address of the external site in question. Recursive DNS servers are increasingly used for security, blocking access to corrupt sites. So many ransomware attacks rely on communicating with the external control server to initiate encryption; recursive DNS servers can simply block the request to activate them.
However, it is important to choose the correct server as not all of them perform in the same way. UltraRecursive DNS, such as the one provided by Neustar, blocks the request necessary to activate ransomware by blocking communication with external command and control (C&C) servers, leaving injected ransomware idle.
In addition, UltraRecursive DNS can create and implement security policies that block unauthorised content/access from any device, including remote and mobile devices, using updated third-party threat intelligence.
Ransomware has been infiltrating our systems for three decades and it is unlikely that we will ever be able to put a complete stop to these cyber attacks. However, by putting certain security measures in place, we can go some way to winning the battle.